Ronenbe
24 Posts

How to get cert details using SOMA

2013-07-09T09:01:30Z

Hi

I need to get the crypto certificate filename details (like serial number, Issuer, Subject, etc.) from a different domain.

I am using the dp:get-cert-details stylesheet function, but it is not useful when the crypto certificate object is in another domain.

Is there a way to get certificate details using SOMA?

Is there any other way to implement this?

 

Regards 

Ronen

  • HermannSW
    5814 Posts
    ACCEPTED ANSWER

    Re: How to get cert details using SOMA

    ‏2013-07-14T12:14:52Z  

    Hi Ruben,

    SOMA request will only be possible AFTER RFE has been accepted and AFTER it has been implemented and shipped -- this will take time.

    > It is a big challenge for me to create a service in each domain for this purpose,
    >
    What about the following idea?

    • create a service allowing all you want for the certs in a specific domain
    • test the service
    • disable it (in Objects screen)
    • export that service
    • import that service into every domain you are interested in

    By that procedure you have "the same" disabled service in every domain.

    For executing a service in domain "domN", send three requests:

    1. SOMA request enabling the service in domain "domN"
    2. request against now active service and retrieve all the results you want
    3. SOMA request disabling the service in domain "domN"

    By having at most one service enabled at a time, this procedure allows all services (in fact many incarnations of one service) to share the same FSH across application domains.

    I just tested it by disabling my "coproc2" service, exporting after apply, importing that export into two new app domains -- works fine!



    Hermann<myXsltBlog/> <myXsltTweets/> <myCE/>

    Updated on 2013-07-14T12:19:29Z by HermannSW
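
The three-request sequence from the answer above, in Python, as an added example that is not code from the thread. `send_soma` and `query_service` are hypothetical callables (the transport to the XML management interface and the request to the helper service), and the `XMLFirewallService` class for "coproc2" is an assumption; the `try`/`finally` makes sure the disable request is sent even when the middle step fails.

```python
import xml.etree.ElementTree as ET
from contextlib import contextmanager

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DP_NS = "http://www.datapower.com/schemas/management"
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("dp", DP_NS)


def admin_state_request(domain, object_class, name, state):
    """Build a SOMA modify-config envelope setting mAdminState on one object."""
    if state not in ("enabled", "disabled"):
        raise ValueError(f"unexpected admin state: {state!r}")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, f"{{{DP_NS}}}request", {"domain": domain})
    mod = ET.SubElement(req, f"{{{DP_NS}}}modify-config")
    obj = ET.SubElement(mod, object_class, {"name": name})
    ET.SubElement(obj, "mAdminState").text = state
    return ET.tostring(env, encoding="unicode")


@contextmanager
def service_enabled(send_soma, domain, object_class, name):
    """Steps 1 and 3: enable on entry, always disable on exit."""
    send_soma(admin_state_request(domain, object_class, name, "enabled"))
    try:
        yield
    finally:
        # Runs even if step 2 raises, so the helper never stays enabled.
        send_soma(admin_state_request(domain, object_class, name, "disabled"))


def collect_cert_details(domains, send_soma, query_service,
                         object_class="XMLFirewallService",  # assumed class
                         name="coproc2"):
    """Visit domains one at a time so only one copy of the service is up."""
    results = {}
    for domain in domains:
        with service_enabled(send_soma, domain, object_class, name):
            results[domain] = query_service(domain)  # step 2
    return results
```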
  • HermannSW
    5814 Posts

    Re: How to get cert details using SOMA

    ‏2013-07-09T14:26:53Z  

    The easiest would be to create a new service in the other domain, listening on 127.0.0.1 interface and using dp:get-cert-details() in stylesheet to get the details you need.

     

    Hermann<myXsltBlog/> <myXsltTweets/> <myCE/>

  • swlinn
    1395 Posts

    Re: How to get cert details using SOMA

    ‏2013-07-09T14:28:26Z  

    Hi Ronen,

    I'm not aware of any SOMA mechanism to do this. Perhaps you should submit an RFE to get this capability into the product. All I can think of for you to do today is to have a service in the target domain that gets the information via get-cert-details, and you can issue an http://127.0.0.1:<serviceport> GET request from the source domain to get the information from that service.

    Regards,

    Steve

  • PradeepMalineni
    31 Posts

    Re: How to get cert details using SOMA

    ‏2013-07-10T05:02:32Z  
    • swlinn
    • ‏2013-07-09T14:28:26Z

    I have created the RFE. Could you share the link below to vote for the RFE?

    http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=36931

     

    Thanks,

    Pradeep Malineni

  • RubenRandall
    91 Posts

    Re: How to get cert details using SOMA

    ‏2013-07-14T05:58:34Z  

    Hi Pradeep,

     

    I am also looking for the same requirement. I have voted for the RFE. Could you please let me know if you have any other solution?

    It is a big challenge for me to create a service in each domain for this purpose. A SOMA request would make my life easier.

     

    Thanks,

    Ruben

  • S57X_Nicholas_Gomez
    2 Posts

    Re: How to get cert details using SOMA

    ‏2015-01-05T20:04:53Z  
    • HermannSW
    • ‏2013-07-14T12:14:52Z

    Any update on this? This really needs to be something we can do via CLI or SOMA interface.

  • HermannSW
    5814 Posts

    Re: How to get cert details using SOMA

    ‏2015-01-05T21:47:58Z  

    > Any update on this? This really needs to be something we can do via CLI or SOMA interface.

    The RFE is still in state Under consideration:
    https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=36931

    It will remain in this state until DataPower product management will have decided on it ...


    Hermann.

  • Kumar_Y
    380 Posts

    Re: How to get cert details using SOMA

    ‏2015-07-15T14:37:23Z  
    • HermannSW
    • ‏2015-01-05T21:47:58Z

    > The RFE is still in state Under consideration:
    > https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=36931
    >
    > It will remain in this state until DataPower product management will have decided on it ...
    >
    > Hermann.

    Hi Hermann,

     

    Can we have the same logic for enabling and disabling the probe?

  • HermannSW
    5814 Posts

    Re: How to get cert details using SOMA

    ‏2015-07-15T15:25:02Z  
    • Kumar_Y
    • ‏2015-07-15T14:37:23Z

    > Hi Hermann,
    >
    > Can we have the same logic for enabling and disabling the probe?

    For enabling Probe you would do <dp:modify-config> with <mAdminState>enabled</mAdminState> in SOMA.

  • Kumar_Y
    380 Posts

    Re: How to get cert details using SOMA

    ‏2015-07-15T15:41:03Z  
    • HermannSW
    • ‏2015-07-15T15:25:02Z

    > For enabling Probe you would do <dp:modify-config> with <mAdminState>enabled</mAdminState> in SOMA.

    Thanks Hermann. But we don't have any DP function for enabling probe, right?

  • HermannSW
    5814 Posts

    Re: How to get cert details using SOMA

    ‏2015-07-15T15:59:53Z  
    • Kumar_Y
    • ‏2015-07-15T15:41:03Z

    > Thanks Hermann. But we don't have any DP function for enabling probe, right?

    You have -- Probe is just a service config setting, so you need SOMA to change that config setting (mAdminState) and you can.

  • Kumar_Y
    380 Posts

    Re: How to get cert details using SOMA

    ‏2015-07-15T16:09:59Z  
    • HermannSW
    • ‏2015-07-15T15:59:53Z

    > You have -- Probe is just a service config setting, so you need SOMA to change that config setting (mAdminState) and you can.

    Hi Hermann,

     

    Thanks for the response. I think to enable the probe you need to have r+w access for sure. By doing so, basically you are giving access to change the config of the objects. Based on my research in the forum, it seems you can't have a group created for enabling just probe.

  • S57X_Nicholas_Gomez
    2 Posts

    Re: How to get cert details using SOMA

    ‏2016-04-07T18:03:37Z  

    After 2 years this RFE is still "Under Consideration" and it's still causing us pain. How do we get this escalated to IBM? Is there a way to reach out to the DataPower community to make this something we all decide needs to be added ASAP?

  • VanOppensTom
    44 Posts

    Re: How to get cert details using SOMA

    ‏2016-04-08T13:53:43Z  

    I created a solution for this issue on a separate machine, to audit CryptoCertificate objects on DataPower.

    To get the certificates there I need the names of the CryptoCertificate objects. I use the following options:
    - I monitor the audit log for CryptoCertificate and parse the name of the object for that
    - periodically I get all the object names by using SOMA

    SOMAGETCRYPTOOBJECTS.xml

    For each CryptoCertificate name (the list coming from parsing the response of the SOMA call, or the name coming from the audit log)
    I then create an export of that certificate

    SOMAEXPORTCERT.xml

    I then download this file using SOMA

    SOMADOWNLOADFILE.xml
    This file looks something like this

    CERTEXPORTEXAMPLE.xml

    From that file I only take the base64 and add ---------BEGIN CERTIFICATE------------\n and \n------------END CERTIFICATE--------

    And last but not least, I audit that file using OpenSSL to check the CA chain.
    But you could do anything you want with that certificate.

    Updated on 2016-04-08T14:05:15Z by VanOppensTom
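
The last two steps of the post above (wrapping the exported base64 as PEM, then handing it to OpenSSL), as an added Python example that is not the poster's code. It assumes the base64 text has already been pulled out of the downloaded export file, checks that it decodes to one complete DER structure before writing anything, and uses the standard PEM armor lines with exactly five hyphens on each side; all function names are hypothetical.

```python
import base64
import subprocess


def _der_total_length(der):
    """Return the byte length the outer DER SEQUENCE header announces."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                       # short form length
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def to_pem(b64_text):
    """Validate the exported base64 and wrap it as a PEM certificate."""
    compact = "".join(b64_text.split())
    der = base64.b64decode(compact, validate=True)  # rejects stray characters
    if _der_total_length(der) != len(der):
        raise ValueError("truncated download or trailing data")
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *body,
                      "-----END CERTIFICATE-----"]) + "\n"


def openssl_details(pem_path):
    """Serial number, issuer, subject and expiry, as asked in the first post."""
    cmd = ["openssl", "x509", "-in", pem_path, "-noout",
           "-serial", "-issuer", "-subject", "-enddate"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def openssl_chain_ok(pem_path, ca_bundle_path):
    """True when `openssl verify` accepts the certificate against the bundle."""
    cmd = ["openssl", "verify", "-CAfile", ca_bundle_path, pem_path]
    return subprocess.run(cmd, capture_output=True, text=True).returncode == 0
```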